Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

LAS VEGAS—The opening keynote for Black Hat USA on Aug. 7 had a strong message, there is a better way to do security than simply fixing one bug at a time.

Jeff Moss, founder of Black Hat said that modern cyber-security technologies tend to favor offense and the time has now come to change the momentum in favor of defense, which is theme that was echoed by Parisa Tabriz, director of engineering at Google.

"We have to stop playing whack-a-mole and we have to be more ambitious, strategic and collaborative in our approach to defense," Tabriz said.

Further reading

Tabriz helps to oversee security efforts at Google including managing the Project Zero research team which reports vulnerabilities and works with vendors to help fix flaws. She said that there have been lots of times in her career where she felt like she was working a real world version of the whack-a-mole arcade game where a plastic mole pops up and the player has to hit it with a hammer. Tabriz said that she is annoyed when she sees media reports on software vulnerabilities that the industry has known about but just haven't had time to address.

"Computer security is increasingly the security of the world and we have to do more to solve problems," Tabriz said. "It's up to us."

Recommendations

Tabriz didn't just come to Black Hat to tell attendees that things have to improve; she also came with a three-step process for how to improve the state of cyber-security.

The first step advocated by Tabriz is to tackle root causes of security vulnerabilities rather than just fix surface issues. Next, she suggests that organizations need to be more intentional in their cyber-security investments and pick milestones that can be achieved. Finally she suggests that it's important to build a coalition of champions and supporters to help ensure the success of security efforts.

"We can't be satisfied with only isolated fixes," Tabriz said.

To that end she suggests that whenever a bug is found developers should dig deep to understand why the bug occurred. That can lead to an understanding on why a certain type of defect testing is or isn't being done. Tabriz suggested that by asking deeper questions about why bugs occur, it's possible to highlight the structural and organizational root causes that have to change.

Shorten bug disclosure deadlines

One of the methods used by Google to improve security has been in tightening up the disclosure period for vulnerabilities. Tabriz said that over the past four years, Google Project Zero has found more than 1,400 vulnerabilities across different targets.

Project Zero has a 90-day disclosure policy that gives software vendors 90 days from the time a bug is privately reported until the time Google publicly discloses the issue. Tabriz said that the deadline-driven approach to disclosure has caused some short term pain for organizations, but it has helped to improve industry responses overall.

"Sticking to deadlines has resulted in vendors rallying and investing in making structural changes both technically and at an organization level—that wasn't happening previously," Tabriz said.

According to Tabriz, vendors now routinely have faster responses to Google Project Zero. In one case, she said that a major vendor doubled the number of security updates it releases each year while another large vendor improved their patch response time by as much as 40 percent.

Tabriz said that at Black Hat and other security conferences, people talk about new problems and attacks. In her view, she emphasized that it's now time to think differently and not focus on just solving individual problems.

"We want to tackle root causes and stop playing whack a mole," she said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.